I'm not the OP, but this issue is extremely important to me and something I've spent countless hours on, so I'm going to jump in and provide some context. Possibly too much!
FB23054233 Classroom on macOS - Under-utilised due to circumvention and deployment issues.
Preamble: The Classroom app is a fantastic tool; the features and native integration are brilliant and the team should be commended, but there are deployment blockers that stop it from being mass adopted.
Issue: Classroom on macOS is under-utilised because it is too easy for students to circumvent and too difficult for IT admins to configure.
Background:
Please note that everything I’m discussing is on multi-user lab or 1:1 school-owned, ASM-registered, supervised devices managed through a Device Management Service.
For simplicity's sake, Classroom requires three things: same network, Bluetooth on, and a Classroom/Education configuration.
Classroom can be configured via three methods:
Ad hoc: Leaves configuration to the teacher, creates support overhead and is not scalable.
Education Configuration Profile: Deployable via MDM. EDU configs set the student/teacher relationship without Managed Apple Accounts. Fantastic for organisations unable to use Managed Apple Accounts, or for lab machines.
ASM class data synced via Managed Apple Account: Requires the user to be signed in with a Managed Apple Account.
Circumvention Methods:
1. Students changing Wi-Fi network - Students are able to change Wi-Fi networks during school hours to other networks, dropping the ability for Classroom to function. All methods of Classroom configuration affected.
Solution: FB17222601 Provide a forceWifiToAllowedNetworksOnly restriction key for macOS like we have on iOS.
2. Students turning off Bluetooth - Students are able to change the Bluetooth state, dropping Classroom functionality. The existing allowBluetoothModification key freezes Bluetooth in its current state rather than setting it on or off. All methods of Classroom configuration affected.
Solution: FB17222612 Expand the allowBluetoothModification restriction key to provide a set On/Off state.
3. Students signing out of their Managed Apple Account in Settings, dropping the Classroom configuration. This could be solved by restricting allowAccountModification, but it would require us to apply this only after a Managed Apple Account is signed in, which is not surfaced to the MDM/DDM spec. Similarly, the “Limit Device Sign in to Managed Apple Accounts” option within Apple School Manager is not granular enough: while this would solve the issue for student devices, our staff could not use their personal Apple Account, which we want to allow. ASM Managed Apple Account Classroom configuration affected.
Solution: FB18518306. Surfacing the ASM “Limit Device Sign In” control to MDM vendors and being able to scope it to individual groups would solve this issue. Alternatively, surfacing the currently logged-in iCloud Apple Account to the MDM would allow us to restrict the ability to sign out once it is logged in. This issue would also be resolved by using an MDM-deployable Education Configuration Profile - see below.
Education Configuration Profile Issues:
While EDU Config profiles can stop users from circumventing Classroom control by signing out of their Managed Apple Account, they cannot be used in a vast variety of K-12 use cases due to the way user accounts are typically created in these environments. The Education profile requires the User Channel. User accounts created outside of Setup Assistant, e.g. using 3rd-party login window agents such as XCreds, Jamf Connect, Iru Passport, Mosyle Auth 2 etc., are not MDM-enabled and as such cannot have User Channel profiles deployed to them.
In our environment, we have a 1:1 Student Mac Program and some Lab Machines. All are using XCreds for initial user account creation due to the seamless workflow it provides and integration with our IDP & MDM stack. None of these accounts are MDM-Enabled and as a result, cannot use User Channel Profiles, rendering this method of Classroom management impossible.
It is worth noting that in my testing, even if we migrated to PSSO, this would allow the 1:1 users to become MDM-enabled, allow for User Channel profiles and configure Classroom in this manner, but this is not the case for our lab machines. Any secondary users created after the first user are not MDM-enabled. As there is no way at the Device Management Service level to manage a user's MDM-enabled status, these lab machines cannot be managed in this way.
As an alternative, if we attempted to use ASM Classroom configuration with Managed Apple Accounts, it would require the student users of the lab machines to log into the machine with their MAA. This is a non-functional solution, as it both takes time away from the lesson and supposes that the students will not realise that the MAA provides the Classroom management and refuse to log in.
Solution: FB17222496 Resolve the underlying User Channel issue in some way, by allowing MDMs to MDM-enable users or by creating a framework that allows users created outside of Setup Assistant to become MDM-enabled.
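Until the restriction keys requested above exist, the first two circumvention states (a student joining a different Wi-Fi network, a student turning Bluetooth off) can at least be reported on by the MDM. The following is an added example, not part of the post above and not an Apple or MDM vendor tool: a Python check that an MDM-run script or extension attribute could execute on a supervised Mac. It detects, it does not prevent. The `ALLOWED_SSIDS` set is a placeholder, the output formats it parses from `networksetup -getairportnetwork` and `system_profiler SPBluetoothDataType` are assumptions stated in the comments (verify them on your own macOS build), and the embedded sample outputs are constructed so the parsing can be exercised off a Mac.

```python
import platform
import re
import subprocess

# Allowed school-hours SSIDs. Constructed placeholder values; replace with your own.
ALLOWED_SSIDS = {"School-Students", "School-Labs"}

# Commands run on the Mac. "en0" is assumed to be the Wi-Fi interface.
WIFI_CMD = ["networksetup", "-getairportnetwork", "en0"]
BT_CMD = ["system_profiler", "SPBluetoothDataType"]


def parse_wifi_ssid(output):
    """Return the SSID from `networksetup -getairportnetwork` output, or None.

    Assumed output forms (an assumption, not taken from Apple documentation):
      "Current Wi-Fi Network: <SSID>"
      "You are not associated with an AirPort network."
    """
    m = re.search(r"^Current Wi-Fi Network:\s*(.+?)\s*$", output, re.MULTILINE)
    return m.group(1) if m else None


def parse_bluetooth_power(output):
    """Return True/False for the Bluetooth controller power state, or None if absent.

    Assumes a "State: On" / "State: Off" line under the controller block of
    `system_profiler SPBluetoothDataType` output (an assumption).
    """
    m = re.search(r"^\s*State:\s*(On|Off)\s*$", output, re.MULTILINE | re.IGNORECASE)
    if not m:
        return None
    return m.group(1).lower() == "on"


def evaluate(ssid, bluetooth_on, allowed=ALLOWED_SSIDS):
    """Map the two observations to a list of findings; an empty list means compliant."""
    findings = []
    if ssid is None:
        findings.append("wifi: not associated with any network")
    elif ssid not in allowed:
        findings.append(f"wifi: joined non-allowed SSID {ssid!r}")
    if bluetooth_on is None:
        findings.append("bluetooth: power state could not be determined")
    elif not bluetooth_on:
        findings.append("bluetooth: powered off")
    return findings


def _run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def collect_and_evaluate():
    """Run the real commands (macOS only) and return the findings."""
    if platform.system() != "Darwin":
        raise RuntimeError("collect_and_evaluate() only runs on macOS")
    return evaluate(parse_wifi_ssid(_run(WIFI_CMD)),
                    parse_bluetooth_power(_run(BT_CMD)))


# Constructed sample outputs for offline use; they mimic the assumed formats above.
SAMPLE_WIFI_OK = "Current Wi-Fi Network: School-Students\n"
SAMPLE_WIFI_HOTSPOT = "Current Wi-Fi Network: iPhone (Student)\n"
SAMPLE_WIFI_NONE = "You are not associated with an AirPort network.\n"
SAMPLE_BT_ON = ("Bluetooth:\n\n      Bluetooth Controller:\n"
                "          Address: 00:00:00:00:00:00\n          State: On\n")
SAMPLE_BT_OFF = ("Bluetooth:\n\n      Bluetooth Controller:\n"
                 "          Address: 00:00:00:00:00:00\n          State: Off\n")


if __name__ == "__main__":
    if platform.system() == "Darwin":
        findings = collect_and_evaluate()
    else:
        # Off a Mac, show the logic on the constructed "student on a hotspot, Bluetooth off" case.
        findings = evaluate(parse_wifi_ssid(SAMPLE_WIFI_HOTSPOT),
                            parse_bluetooth_power(SAMPLE_BT_OFF))
    # One-line report; the <result> wrapper is the form Jamf extension attributes expect.
    print("<result>" + ("; ".join(findings) or "compliant") + "</result>")
```

Because the script only observes state, a student can still change Wi-Fi or Bluetooth mid-lesson; what it gives you is a smart-group or report of which Macs were out of compliance when the inventory ran, which is the most a DDM/MDM can do on macOS without the restriction keys the feedback reports ask for.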